Under the US Health Insurance Portability and Accountability Act (HIPAA), protected health information (PHI) counts as de-identified only once the following 18 identifiers have been removed
(Source: http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/deident.html):
- Names;
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
  - The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
  - The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  - Currently, 036, 059, 063, 102, 203, 556, 592, 790, 821, 823, 830, 831, 878, 879, 884, 890, and 893 are all recorded as "000".
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security numbers;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code, except as permitted by the re-identification rules, below.
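The list above is also a specification: direct identifiers are dropped, a zip code is reduced to its three-digit prefix (or "000" for the prefixes named above), dates are reduced to the year, and ages over 89 are collapsed into a single "90 or older" bucket. The following Python is an added example, not code from the source page or from any of the organisations it cites; the record field names, the sample records and the reference date are all constructed for illustration, and the choice to drop the birth year (but keep other years) for a person over 89 is this example's reading of "all elements of dates (including year) indicative of such age".

```python
"""Added example: apply the HIPAA Safe Harbor identifier rules listed above
to a single patient record. Field names and sample data are assumptions."""
from datetime import date

# Three-digit zip prefixes recorded as "000" in the list above (units with
# 20,000 or fewer people). Any other prefix may be retained as-is.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "592", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifiers that Safe Harbor removes outright; the field names are assumed
# for this example and map onto the list items above.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}


def deidentify_zip(zip_code: str) -> str:
    """Keep only the first three digits, or '000' for restricted prefixes."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 5:
        raise ValueError("expected at least a 5-digit zip code")
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth: date, ref: date) -> int:
    """Whole years between a birth date and a reference date."""
    years = ref.year - birth.year
    if (ref.month, ref.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify_age(age: int) -> str:
    """Ages over 89 are aggregated into one '90 or older' category."""
    return "90+" if age > 89 else str(age)


def deidentify_record(record: dict, reference_date: str) -> dict:
    """Return a new record with the 18 identifiers removed or reduced.

    `reference_date` (ISO format) is the date on which age is computed;
    it is an assumed parameter for this example.
    """
    ref = date.fromisoformat(reference_date)
    birth = date.fromisoformat(record["birth_date"])
    age = age_on(birth, ref)
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed entirely, nothing is retained
        if field == "zip":
            out["zip3"] = deidentify_zip(value)
        elif field == "birth_date":
            # birth year reveals an age over 89, so it is dropped in that case
            out["birth_year"] = None if age > 89 else birth.year
        elif field.endswith("_date"):
            # other dates keep the year only (admission, discharge, death)
            out[field[: -len("_date")] + "_year"] = date.fromisoformat(value).year
        else:
            out[field] = value  # clinical content is not an identifier
    out["age"] = deidentify_age(age)
    return out


# Constructed sample records (not real patients).
SAMPLE_RECORD_OLD = {
    "name": "Example Patient", "mrn": "MRN-000001", "zip": "03601",
    "birth_date": "1931-05-20", "admission_date": "2023-02-14",
    "diagnosis": "pneumonia",
}
SAMPLE_RECORD_YOUNG = {
    "name": "Another Patient", "ssn": "000-00-0000", "zip": "90095-1234",
    "birth_date": "1980-06-01", "discharge_date": "2023-02-20",
    "diagnosis": "fracture",
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD_OLD, "2023-02-14"))
    print(deidentify_record(SAMPLE_RECORD_YOUNG, "2023-02-14"))
```

The function builds a new dictionary rather than deleting keys in place, so any field not explicitly allowed through is only retained by falling into the final `else` branch; a real pipeline would invert that and require every retained field to be on an allow-list.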
Summary of UCLA Health System's HIPAA Policies
1. Protection of Health Information
UCLA Health System Workforce members may not disclose, share or otherwise use any individually identifiable health information except for treatment, payment, and health care operations (referred to as "TPO") unless expressly authorized by the patient or as otherwise permitted by law. Patients also have the right to request that UCLA restrict how their PHI is used or disclosed.
2. Classification of PHI Information
All information contained in patient medical and billing records is confidential regardless of format. These confidentiality protections extend not only to the patient's medical record, but also to information from the record. In addition, special laws govern the disclosure of mental health, substance abuse, and HIV test result information.
3. Notice of Privacy Practices
The Privacy Rule requires UCLA Health System to give each patient detailed information about UCLA Health System's privacy practices, in the form of the University's "Notice of Privacy Practices" (see "Other Forms and Documents"). All uses and disclosures of PHI by UCLA Health System and its workforce members must be consistent with the Notice of Privacy Practices.
4. Authorization to Use PHI
The Privacy Rule requires providers to obtain a written authorization from an individual before using or disclosing a patient's PHI for purposes other than for TPO, unless otherwise authorized by law.
5. Patient Access to PHI
The Privacy Rule gives an individual (or that person's personal representative) the right of access to inspect and obtain a copy of the individual's own PHI. Providers may deny an individual access to his or her information under certain circumstances only if specified procedures are followed.
6. UCLA Health System Employee (Workforce) Responsibilities to Maintain Confidentiality of PHI
All members of the UCLA Health System workforce are responsible for maintaining the security and confidentiality of PHI on behalf of UCLA Health System patients.
- Minimum necessary: When using or disclosing PHI, a provider must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended use, disclosure, or request.
- Employee access: All members of the UCLA Health System workforce should only read and use PHI as necessary for their job functions.
7. Release of PHI to Third Parties
In light of the specific accounting and disclosure requirements imposed by HIPAA, all copying of medical records for release to third parties or agencies must be completed by, or coordinated with, UCLA Health Information Management Services.
8. Privacy Requirements Relating to Research
Research is not considered to be a part of TPO under the Privacy Rule, except for certain studies related to health care operations, such as research that is also considered quality assurance and utilization management activities. Consequently, the use or disclosure of PHI for research purposes generally requires either: (1) a written authorization from the individual whose information is collected or (2) a waiver of authorization from UCLA's IRB. The IRB is responsible for reviewing and approving the authorization form that is used for research.
The Privacy Rule permits the use and disclosure of a limited data set of information for research purposes, without patient authorization, provided certain requirements are met, including entering into a Data Use Agreement with the recipient of the information.
Health Information that does not identify an individual ("de-identified information") is generally not considered PHI and may be disclosed without the patient's authorization. In order to de-identify PHI, UCLA Health System must remove all 18 of the HIPAA identifiers specified in the HIPAA Privacy Rule.
9. Disclosures to Business Associates
The Privacy Rule requires UCLA Health System to enter into a confidentiality agreement with certain third parties when UCLA Health System shares PHI with the third party (e.g., non-health care providers) for TPO purposes. This is called a business associate agreement ("BAA"). A business associate relationship exists when an individual or entity, acting on behalf of UCLA Health System, assists in the performance of a function or activity involving the use or disclosure of UCLA Health System's PHI. The UCLA Purchasing Departments are responsible for completing the University's HIPAA-compliant business associate agreement with outside vendors that provide goods or services to UCLA Health System. The UCLA Health System's form BAA can be found on the UCLA Health System Office of Compliance Services website.
10. Marketing and Fundraising
In general, PHI may not be disclosed for marketing purposes without the patient's authorization. PHI includes demographic information, without any accompanying diagnosis or treatment information. An authorization must be obtained from the patient even to use the patient's address or phone number for marketing.
In addition, all fundraising materials sent to an individual must describe how the individual can opt out of receiving further fundraising communications.
11. Media Inquiries
Both California law and the Privacy Rule restrict the amount of information that may be provided to the media without the patient's authorization. In general, UCLA Health System may release the condition and location of an inpatient, outpatient, or emergency patient, but only if the inquiry specifically contains the patient's name, and only if the patient has not requested that the information be withheld from disclosure. No information can be given if a request does not include the patient's name or if the patient has requested that information be withheld.
A patient's condition may only be described in general terms that do not communicate specific medical information about the individual. For example, the following general terms are acceptable: "undetermined," "good," "fair," "serious," "critical," or "deceased."
12. Safeguards to Protect PHI
Reasonable safeguards (physical, electronic and administrative) are to be used at all times to ensure that confidential information is not disclosed to individuals who are not authorized to receive the information and to minimize incidental disclosures of PHI. Examples of safeguards (such as locking medical and billing records at the end of the day, not sharing passwords, etc.) can be found on the UCLA Health System Office of Compliance Services website, and in UCLA Health System policies, such as Policy HS 9401.
13. UCLA Health System Workforce Training and Education
The Privacy Rule requires that providers train their "workforce" on privacy policies and procedures at a level appropriate for the workforce members to carry out their roles and responsibilities. All members of the UCLA Health System workforce will be provided with essential instruction regarding Privacy Rule requirements and additional training specific to their job responsibilities.
14. Unauthorized Release and Disclosure
The unauthorized release of PHI is a violation of law, with potential civil and/or criminal penalties and fines. In addition, workforce members who are found to have violated the law and/or UCLA Health System policies may be subject to disciplinary action, up to and including termination. Workforce members should immediately report any unauthorized release or disclosure of PHI to the Privacy and Information Security Offices and their supervisor.